Information gathering notes

1. Look up the company name on Tianyancha (enterprise business information search) and on Wikipedia

1.1 Tianyancha search

1.2 Wikipedia

Collect the enterprise's WeChat official accounts, apps and other assets.

1.3 App collection

Huawei AppGallery

Apple App Store

Qimai Data (七麦数据)

2. Gather the company's domains

SRC (security response center) testing scope

Enterprise registration record lookup

Search the company name on Baidu

WooYun (乌云) vulnerability disclosure history search

Search by company name, look up the company from a domain name, or look up the company from an IP address.

3. Subdomain collection

Enumerate subdomains of the collected domains with the subdomain scanner OneForAll.

4. Identify the CMS of each subdomain

Yunsee (云悉) online fingerprinting

5. Determine the IP ranges

Use iplist.py to extract the IPs and generate custom rules by C segment (/24).

Output: ipmin.txt and ipmax.txt
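The step above produces two target lists but does not show how iplist.py builds them. The following is an added example, not the page's iplist.py; that script's split is not shown, so the reading that ipmin.txt holds the exact resolved IPs and ipmax.txt the surrounding /24 "C segments" is an assumption. It also adds a scope check the page does not have: a /24 is only widened into when more than one collected host resolves into it, since a single hit in a shared hosting or CDN block is usually someone else's range. The hostnames and addresses are constructed from documentation ranges.

```python
import ipaddress
from collections import defaultdict

# Constructed sample input (documentation ranges, not real assets):
# hostname collected in step 3 -> IPv4 addresses it resolved to.
RESOLVED = {
    "www.example.com": ["203.0.113.10"],
    "mail.example.com": ["203.0.113.25"],
    "api.example.com": ["203.0.113.10", "198.51.100.7"],
    "cdn.example.com": ["192.0.2.200"],
    "intranet.example.com": ["10.0.0.5"],  # RFC 1918, not reachable from outside
}

# Ranges that never belong in an external target list.
SKIP = [ipaddress.ip_network(n) for n in
        ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def build_ip_lists(resolved, min_hosts_per_c=2):
    """Return (ipmin, ipmax) as lists of strings.

    ipmin: de-duplicated, sorted exact IPs (assumed meaning of ipmin.txt).
    ipmax: the /24 "C segment" of those IPs (assumed meaning of ipmax.txt),
           kept only when at least min_hosts_per_c distinct IPs fell into it.
    """
    exact = set()
    for addrs in resolved.values():
        for raw in addrs:
            try:
                ip = ipaddress.ip_address(raw)
            except ValueError:
                continue  # junk in the resolver output, ignore it
            if ip.version != 4 or any(ip in net for net in SKIP):
                continue
            exact.add(ip)

    per_c = defaultdict(set)
    for ip in exact:
        per_c[ipaddress.ip_network(f"{ip}/24", strict=False)].add(ip)

    ipmin = [str(ip) for ip in sorted(exact)]
    ipmax = [str(net) for net in sorted(per_c)
             if len(per_c[net]) >= min_hosts_per_c]
    return ipmin, ipmax


if __name__ == "__main__":
    print(build_ip_lists(RESOLVED))
```

Writing each list to its file with one entry per line gives the ipmin.txt and ipmax.txt that the scanning steps below expect.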

6. IP port scanning and service identification

First pass: scan the subdomain-derived ipmin.txt with masscan, then use nmap for the port scan and service identification, and dig deeper.

Second pass: scan the collected ipmax.txt with masscan, then use nmap for the port scan and simple service identification; scan for sensitive files and grab page titles, selectively discarding 403, 404 and 500 responses.

7. Probe for various unauthenticated services

1. Redis unauthenticated access (weak password)

Detection method:

redis-cli -h <ip> -p <port> -a <password>

Once connected, the info command is all that is needed.

2. MongoDB unauthenticated access

Probe with an nmap script:

nmap -p 27017 --script mongodb-info ip

Or connect with NoSQLBooster.

3. ZooKeeper unauthenticated access

On Linux, use the command:

echo envi | nc ip port

To be added

8. Vulnerability scanning and content mining on ipmin.txt

1. Scan for sensitive files

2. Extract endpoints from suspicious JS with linkfinder.py (before login and after login)

3. Deep directory fuzzing

9. Sensitive-file scanning and content mining on ipmax.txt

403, 404 and 500 pages

10. Disclosure of sensitive documents

1. GitHub leaks

Search terms: domain + test, domain + admin; password, username; 127.0.0.1, 10.; special files; second- and third-level domain names; IP addresses; other keywords.

2. Google hacking

For many IPs the access path must be included, e.g.:

site:39.134.*.*

By domain name:

domain+intitle:index.of
domain+ext:xml+|+ext:conf+|+ext:cnf+|+ext:reg+|+ext:inf+|+ext:rdp+|+ext:cfg+|+ext:txt+|+ext:ora+|+ext:ini
domain+ext:sql+|+ext:dbf+|+ext:mdb
domain+ext:log
domain+ext:bkf+|+ext:bkp+|+ext:bak+|+ext:old+|+ext:backup
domain+inurl:login+|+intitle:管理+|+intitle:后台+|+intitle:登录+|+intitle:平台+|+inurl:admin+|+inurl:manage+|+intext:登录+|+intext:后台+|+intext:管理
domain+intext:%22sql+syntax+near%22+|+intext:%22syntax+error+has+occurred%22+|+intext:%22incorrect+syntax+near%22+|+intext:%22unexpected+end+of+SQL+command%22+|+intext:%22Warning:+mysql_connect()%22+|+intext:%22Warning:+mysql_query()%22+|+intext:%22Warning:+pg_connect()%22
domain+ext:doc+|+ext:docx+|+ext:odt+|+ext:pdf+|+ext:rtf+|+ext:sxw+|+ext:psw+|+ext:ppt+|+ext:pptx+|+ext:pps+|+ext:csv
domain+ext:php+intitle:phpinfo+%22published+by+the+PHP+Group%22
domain+ext:php+|+ext:asp+|+ext:aspx+|+ext:jsp+|+ext:jspx+|+ext:action
domain+inurl:file+|+inurl:down+|+inurl:upload+|+inurl:url+|+inurl:dir+|+inurl:cmd+|+inurl:log+|+inurl:redirect+|+inurl:uri+|+inurl:path+|+inurl:name+|+inurl:open+inurl:download+|+inurl:filename+|+inurl:downfile+|+inurl:uploadfile
Tips

For example, a site has an IDOR (the object can be accessed across accounts, but its id is hard to guess):

http://xxx.xxx.xxx/userinfo/?uid=2018-WOIDJWOIDJ-5201314

Then try a search engine to find valid ids:

site:xxx.xxx inurl:uid=20

3. APK decompilation

Look for API endpoints and sensitive email addresses:

https://github.com/s0md3v/Diggy

https://github.com/0xPwny/Apkatshu

OSS key keywords:
oss
upyun
password
username
root
http
127.0.0.1
key id
Key Secret
bucket bucketName
SECRET_ID
SECRET_KEY
qcloud
APP_ID=
accessKey
secretKey
Qiniu
OBS

To be added (hardening)

4. Network drive search

Company internal xxx

xxx network password

5. FOFA, Shodan and other cyberspace search engines

Shodan: favicon.ico hash

soft 127.0.0.1/24

6. QQ groups


Source: www.cnblogs.com/cwkiller/p/11900440.html